Bug 279942

Summary:	Can not connect with 802.1x TLS secured wired network
Product:	[Unmaintained] Network Management	Reporter:	FilipK <don333>
Component:	Plasma Widget	Assignee:	Sebastian Kügler <sebas>
Status:	RESOLVED UNMAINTAINED
Severity:	normal	CC:	afiestas, dima, ilia-kats, johnsc301, lamarque, wstephenson
Priority:	NOR
Version:	0.9
Target Milestone:	---
Platform:	openSUSE
OS:	Linux
Latest Commit:		Version Fixed In:
Sentry Crash Report:
Attachments:	Log fragment of /var/log/NetworkManager using nm-applet to connect Log of /var/log/NetworkManager using nm-applet to connect after disabling 2 troubling scripts Log of /var/log/NetworkManager using plasmoid to connect after disabling 2 troubling scripts Log of /var/log/NetworkManager using plasmoid from git to connect Log of /var/log/NetworkManager using plasmoid from git to connect with client cert supplied .xsession-errors log .xsession-errors log .xsession-errors log .xsession-errors log with no stripping

Description FilipK 2011-08-12 07:45:55 UTC

Created attachment 62767 [details]
Log fragment of /var/log/NetworkManager using nm-applet to connect

Version:           0.9 (using KDE 4.6.0) 
OS:                Linux

Network plasmoid (0.9.svn1192577-7.2, tried 0.9.1git20110503-8.1 from KDE:/UpdatedApps repository as well) in KDE 4.6 will not allow connecting to a wired network that uses 802.1x security (TLS authentication). I can edit the connection details and save it so that the connection appears on the plasmoid's list, but clicking on the connection name doesn't give any result (meaning no visible indication that the connection is trying to be established and no notification of a failure).

A hint for me is that even though I explicitly set a file for the CA certificate, after saving and opening the connection details again, "Use system CA certs" is selected (I make sure to leave it unchecked when saving) and the CA certificate file input box is grayed out.

I can connect successfully using the Gnome GUI version (nm-applet), using the same dialog and entering the very same details. CA certificate file input box stays like I entered it using nm-applet.

Reproducible: Always

Steps to Reproduce:
1. Choose "Edit connections" from plasmoid's context menu.
2. Add new wired connection.
3. Enable 802.1x security for that connection.
4. Leave "TLS authentication", set "identity", choose CA certificate and private key files, enter private key password.
5. Save connection.
6. Click on the connection name on the Network Management plasmoid list.

Actual Results:  
No visible results, connection is not established.

Expected Results:  
Connection is established, like when using nm-applet.

OS: openSUSE 11.4 64 bit
NetworkManager version: 0.8.2-15.24.1
NetworkManager-kde version: 0.9.svn1192577-7.2
NetworkManager-gnome version: 0.8.2-9.10.1

qdbus information for the connection using KDE plasmoid:
> qdbus --system --literal org.freedesktop.NetworkManagerUserSettings /org/freedesktop/NetworkManagerSettings/0 org.freedesktop.NetworkManagerSettings.Connection.GetSettings
[Argument: a{sa{sv}}
 {"802-1x" = [Argument: a{sv}
  {"ca-cert" = [Variant(QByteArray): {48, -126, 4, -25, 48, ...}],
   "ca-path" = [Variant(QString): "/home/filip/Documents/CA.der"],
   "eap" = [Variant(QStringList): {"tls"}],
   "identity" = [Variant(QString): "filip@example.com"],
   "private-key" = [Variant(QByteArray): {48, -126, 10, 81, ...}],
   "system-ca-certs" = [Variant(bool): true]}],
 "802-3-ethernet" = [Argument: a{sv} {}],
 "connection" = [Argument: a{sv}
  {"autoconnect" = [Variant(bool): true],
   "id" = [Variant(QString): "pcss"],
   "type" = [Variant(QString): "802-3-ethernet"],
   "uuid" = [Variant(QString): "3c487de3-a025-4876-b14a-417ea4895ec8"]}],
 "ipv4" = [Argument: a{sv}
  {"addresses" = [Variant: [Argument: aau
    {[Argument: au {3415604886, 24, 4271242902}]}]],
      "dns" = [Variant: [Argument: au {61734550}]],
      "method" = [Variant(QString): "manual"]}]}]

qdbus information for the connection using Gnome nm-applet:
> qdbus --system --literal org.freedesktop.NetworkManagerUserSettings /org/freedesktop/NetworkManagerSettings/0 org.freedesktop.NetworkManagerSettings.Connection.GetSettings
[Argument: a{sa{sv}}
 {"connection" = [Argument: a{sv}
  {"id" = [Variant(QString): "pcss"],
   "uuid" = [Variant(QString): "cfc5fa2b-f32a-4de5-8960-76e41ed4c4a8"],
   "timestamp" = [Variant(qulonglong): 1313130082],
   "type" = [Variant(QString): "802-3-ethernet"]}],
 "802-1x" = [Argument: a{sv}
  {"identity" = [Variant(QString): "filip@example.com"],
   "eap" = [Variant(QStringList): {"tls"}],
   "ca-cert" = [Variant(QByteArray): {102, 105, 108, ...}],
   "client-cert" = [Variant(QByteArray): {102, 105, 108, ...}]}],
 "ipv4" = [Argument: a{sv}
  {"routes" = [Variant: [Argument: aau {}]],
   "addresses" = [Variant: [Argument: aau
    {[Argument: au {3415604886, 24, 4271242902}]}]],
      "dns" = [Variant: [Argument: au {61734550}]],
      "method" = [Variant(QString): "manual"],
      "802-3-ethernet" = [Argument: a{sv}
       {"s390-options" = [Variant: [Argument: a{ss} {}]],
        "duplex" = [Variant(QString): "full"]}],
      "ipv6" = [Argument: a{sv}
       {"addresses" = [Variant: [Argument: a(ayuay) {}]],
        "dns" = [Variant: [Argument: aay {}]],
        "method" = [Variant(QString): "ignore"],
        "routes" = [Variant: [Argument: a(ayuayu) {}]]}]}]

Comment 1 Lamarque V. Souza 2011-08-12 12:05:56 UTC

The log file you attached indicates that two of your dispatch scripts ended with errors, could you please fix those errors or remove those scripts and try again?

Comment 2 FilipK 2011-08-17 07:05:51 UTC

Created attachment 62889 [details]
Log of /var/log/NetworkManager using nm-applet to connect after disabling 2 troubling scripts

Comment 3 FilipK 2011-08-17 07:06:21 UTC

Created attachment 62890 [details]
Log of /var/log/NetworkManager using plasmoid to connect after disabling 2 troubling scripts

Comment 4 FilipK 2011-08-17 07:07:33 UTC

I've disabled the two scripts and tried again with both the plasmoid and nm-applet. The results are the same (logs attached - sorry I didn't send NetworkManager logs from using plasmoid before).

Comment 5 Ilia Kats 2011-08-23 16:50:44 UTC

Could you try to compile and install the current git master? I think this should be fixed there.

Comment 6 FilipK 2011-08-25 09:48:47 UTC

Created attachment 63134 [details]
Log of /var/log/NetworkManager using plasmoid from git to connect

Unfortunately after trying latest Network Management plasmoid from git I still can not establish the connection. There is an improvement however as I am able to select a CA certificate file and not have plasmoid it overwrite with "Use system CA certs" after saving.

I am curious if perhaps the message "NetworkManager[5066]: <warn> invalid connection: 'NMSetting8021x' / 'client-cert' invalid: 2" isn't suggesting that the plasmoid doesn't like an empty "User certificate" field (I always use "CA certificate" together with "Private key" and leave "User certificate" empty - that way it works using Gnome nm-applet and these are the settings I use when manually configuring wpa_supplicant).

Comment 7 Ilia Kats 2011-08-25 10:14:59 UTC

That's interesting, since the nm-applet settings in your first post have a client-cert field, but no private-key field. Could you verify that you select identical settings and post them here again, for both nm-applet and Plasma NM?

Comment 8 Ilia Kats 2011-08-25 11:34:12 UTC

OK, I've been reading libnm-util source code, and stumbled onto this interesting piece of code:
/* As required by NM and wpa_supplicant, set the client-cert
	 * property to the same PKCS#12 data.
	 */
	if (format == NM_CRYPTO_FILE_FORMAT_PKCS12) {
		if (priv->client_cert)
			g_byte_array_free (priv->client_cert, TRUE);

		priv->client_cert = g_byte_array_sized_new (priv->private_key->len);
		g_byte_array_append (priv->client_cert, priv->private_key->data, priv->private_key->len);
	}

Apparently, if your private key is in PKCS12 format (which can contain both client certificate and private key), the client cert is set to the same file automatically, and as far as I can see from your logs, you have a PKCS12 key. Could you just select the same file for the client cert as for the private key in Plasma NM and try again?

Comment 9 FilipK 2011-08-25 13:45:02 UTC

As for supplying values for input fields in the plasmoid and nm-applet I am sure I always use the same - "Identity", "CA certificate", "Private key" and "Private key password". For confirmation, here is the configuration for wpa_supplicant that I use for ifconfig (I don't have nm-applet enabled and Network plasmoid does still not work):

ctrl_interface=/var/run/wpa_supplicant                                          
ctrl_interface_group=0                                                          
ap_scan=0                                                                       
network={                                                                       
  key_mgmt=WPA-EAP                                                              
  proto=WPA2                                                                    
  pairwise=CCMP TKIP                                                            
  eap=TLS                                                                       
  identity="filip@example.com"
  ca_cert="/home/filip/Documents/PSNC.der"
  private_key="/home/filip/Documents/filip@example.com.p12"
  private_key_passwd="SECRET"
}

Comment 10 FilipK 2011-08-25 13:48:59 UTC

Created attachment 63138 [details]
Log of /var/log/NetworkManager using plasmoid from git to connect with client cert supplied

I tried entering the same file as "Client certificate". The outcome is different - plasmoid does initiate connection establishment (there is visible confirmation). Shortly after that I get a popup asking me to provide credentials (even though I entered my private key secret). No matter what do I enter in the secret field, the popup reappears.

I've also tried converting the PKCS12 certificate to PEM format and use that instead. The results are the same as with PKCS12.

Comment 11 Ilia Kats 2011-08-25 14:58:47 UTC

Can you attach your ~/.xsession-errors?

Comment 12 FilipK 2011-08-26 06:03:35 UTC

Created attachment 63149 [details]
.xsession-errors log

I've cleared .xsession-errors before restarting the network service and the logs are from clicking OK in YAST Network Settings to the settings window disappearing (the 802.1x-secured connection is set to connect automatically).

Comment 13 Ilia Kats 2011-08-26 08:22:02 UTC

The log doesn't contain anything related to Plasma NM. Can you run kdebugdialog and verify that all components of NetworkManagement are writing debug output?

Comment 14 FilipK 2011-08-29 07:23:12 UTC

Created attachment 63208 [details]
.xsession-errors log

I checked all possible NetworkManager-related options in kdebugdialog. There's little difference in .xsession-errors however.

Comment 15 Ilia Kats 2011-08-29 10:16:34 UTC

Can you add -DCMAKE_BUILD_TYPE=Debug to the cmake command line, recompile and check again?

Comment 16 FilipK 2011-08-30 14:28:22 UTC

Created attachment 63238 [details]
.xsession-errors log

Stripped .xsession-errors after reboot, recompiled with DEBUG.

Comment 17 Ilia Kats 2011-08-30 16:09:20 UTC

Better, but I don't see anything indicating that a connection was activated, much less passwords were fetched by NM. When you say you "stripped" it, are you sure you didn't strip too much? Can you try disconnecting, clearing your .xsession-errors, connecting manually and attaching the resulting .xsession-errors?

Comment 18 FilipK 2011-09-06 10:21:54 UTC

Created attachment 63433 [details]
.xsession-errors log with no stripping

I've disabled every option and enabled all network-related options in kdebugdialog. Then rebooted with clear .xsession-errors.

Comment 19 Lamarque V. Souza 2011-09-06 15:27:01 UTC

This line in the log indicates NetworkManager is not running:

kded(3896)/networkstatus NetworkStatusModule::status:  status:  0

or at least networkstatus module lost contact with NetworkManager. The log still does not show any signal that a connection is in progress. Also, you used 0.9.1git20110503-8.1 to create that log, right? Do not use 0.9.svn1192577-7.2, it is too old (almost a year) and several things changed since then.

This is line has something wrong:

NetworkInterfaceActivatableProvider::handleAdd: Added connection is  "802-11-wireless"  interface type:  1  name:  "eth0"  driver:  "r8169"

the connection type should be wired, not wireless, although "interface type: 1" indicates it is indeed ethernet.

Comment 20 FilipK 2011-09-07 08:42:59 UTC

(In reply to comment #19)
> This line in the log indicates NetworkManager is not running:
> 
> kded(3896)/networkstatus NetworkStatusModule::status:  status:  0
> 
> or at least networkstatus module lost contact with NetworkManager. The log
> still does not show any signal that a connection is in progress.
>
That is right and that's what I wrote in the original bug description - "No visible results, connection is not established." I can't make the networkmanager plasmoid connect neither by clicking on the connection name nor by setting it to autoconnect and restarting network using Yast.

> Also, you used 0.9.1git20110503-8.1 to create that log, right? Do not use
> 0.9.svn1192577-7.2, it is too old (almost a year) and several things
> changed since then.
> 
I'm using a version pulled from KDE git repo. The last commit I can see in that version is 939be70cb264048f0c4ca19bb4bdea901674b1ac and this is the version I used when generating the .xsession-errors log.

> This is line has something wrong:
> 
> NetworkInterfaceActivatableProvider::handleAdd: Added connection is 
> "802-11-wireless"  interface type:  1  name:  "eth0"  driver:  "r8169"
> 
> the connection type should be wired, not wireless, although "interface type: 1"
> indicates it is indeed ethernet.
>
I don't know where does "802-11-wireless" come from, the connection is certainly a wired one.

Comment 21 Lamarque V. Souza 2011-09-07 08:57:24 UTC

(In reply to comment #20)
> (In reply to comment #19)
> > This line in the log indicates NetworkManager is not running:
> > 
> > kded(3896)/networkstatus NetworkStatusModule::status:  status:  0
> > 
> > or at least networkstatus module lost contact with NetworkManager. The log
> > still does not show any signal that a connection is in progress.
> >
> That is right and that's what I wrote in the original bug description - "No
> visible results, connection is not established." I can't make the
> networkmanager plasmoid connect neither by clicking on the connection name nor
> by setting it to autoconnect and restarting network using Yast.

That happens when NetworkManager invalidates the connection, which is the case here. The message

NetworkManager[5066]: <warn> invalid connection: 'NMSetting8021x' / 'client-cert' invalid: 2

is not a warning, it is error message indeed. When it appears NM refuses to activate the connection.

Comment 22 FilipK 2011-09-16 06:23:06 UTC

(In reply to comment #21)
> 
> NetworkManager[5066]: <warn> invalid connection: 'NMSetting8021x' /
> 'client-cert' invalid: 2
> 
> is not a warning, it is error message indeed. When it appears NM refuses to
> activate the connection.

Anything I could do about that? Perhaps you could point me at the source files to look at?

Comment 23 Lamarque V. Souza 2011-09-16 18:47:30 UTC

(In reply to comment #22)
> (In reply to comment #21)
> > 
> > NetworkManager[5066]: <warn> invalid connection: 'NMSetting8021x' /
> > 'client-cert' invalid: 2
> > 
> > is not a warning, it is error message indeed. When it appears NM refuses to
> > activate the connection.
> 
> Anything I could do about that? Perhaps you could point me at the source files
> to look at?

Comment #8 explains what is happening. We need to implement that to really fix this problem.

Comment 24 Will Stephenson 2011-12-08 11:40:41 UTC

Reassign Network Management bugs to new maintainer.  Have a lot of fun, Lamarque!

Comment 25 FilipK 2011-12-27 15:23:52 UTC

I've just upgraded my system to OpenSUSE 12.1 that has NetworkManager 0.9.1.90 and plasmoid-networkmanagement version 0.9.1git20111027. To my great relief I can finally say that 802.1x TLS security in wired (and wireless - tried that too) connections using KDE 4.7 network plasmoid WORKS!

The only inconvenience is that I have to input both "User certificate" and "Private key" fields even though the first one isn't necessary. That however might be because I have the certificate in a PKCS12 file. Other than that it's all running fine.

Comment 26 Lamarque V. Souza 2012-07-23 02:46:01 UTC

Git commit 7fba026cd423d02e25cf5c58d60bfd5db145ea51 by Lamarque V. Souza.
Committed on 23/07/2012 at 04:44.
Pushed by lvsouza into branch 'master'.

Add two tooltips to explain how to correctly configure TLS encryption
using PKSC12 private keys.

M  +10   -2    libs/ui/security/eapmethodtlsbase.ui

http://commits.kde.org/networkmanagement/7fba026cd423d02e25cf5c58d60bfd5db145ea51

Comment 27 Lamarque V. Souza 2012-07-23 02:48:59 UTC

Git commit f6b78e47d72dfeb5e7100cff285e487857ccbd4c by Lamarque V. Souza.
Committed on 23/07/2012 at 04:44.
Pushed by lvsouza into branch 'nm09'.

Add two tooltips to explain how to correctly configure TLS encryption
using PKSC12 private keys.
(cherry picked from commit 7fba026cd423d02e25cf5c58d60bfd5db145ea51)

M  +10   -2    libs/ui/security/eapmethodtlsbase.ui

http://commits.kde.org/networkmanagement/f6b78e47d72dfeb5e7100cff285e487857ccbd4c

Comment 28 Lamarque V. Souza 2012-07-24 00:57:37 UTC

Git commit d319529a9ab95b18e0c1d4e982b6baa2af4571cf by Lamarque V. Souza.
Committed on 24/07/2012 at 02:55.
Pushed by lvsouza into branch 'master'.

Fix misspelling introduced by commit 7fba026cd423d02e25cf5c58d60bfd5db145ea51.

M  +2    -2    libs/ui/security/eapmethodtlsbase.ui

http://commits.kde.org/networkmanagement/d319529a9ab95b18e0c1d4e982b6baa2af4571cf

Comment 29 Lamarque V. Souza 2012-07-26 14:24:34 UTC

Git commit b4255db35b308aa05d1d6beff9935d5278be908a by Lamarque V. Souza.
Committed on 24/07/2012 at 02:55.
Pushed by lvsouza into branch 'nm09'.

Fix misspelling introduced by commit f6b78e47d72dfeb5e7100cff285e487857ccbd4c.
(cherry picked from commit d319529a9ab95b18e0c1d4e982b6baa2af4571cf)

M  +2    -2    libs/ui/security/eapmethodtlsbase.ui
M  +1    -1    plasma_nm_version.h

http://commits.kde.org/networkmanagement/b4255db35b308aa05d1d6beff9935d5278be908a

Comment 30 Alex Fiestas 2013-02-26 21:57:26 UTC

Is this bug still valid?

Comment 31 Lamarque V. Souza 2013-02-26 22:16:43 UTC

(In reply to comment #30)
> Is this bug still valid?

Yes, read comment #c23

Comment 32 johnsc301 2014-10-02 16:28:25 UTC

I'm having this problem using kdeplasma-applets-plasma-nm 0.9.3.4-3 on Arch Linux
KDE 4.14.1
I'm trying to connect to AirVPN, and they use TLS certificates
When I "connect" to their Canada servers, my ip still shows my current location

However, when I use nm-applet (gnome), the ip changes as it is supposed to

Comment 33 johnsc301 2014-10-02 17:20:10 UTC

The only work around I have is to import my OpenVPN configuration using the gnome applet. After uninstalling the gnome applet altogether, the KDE applet works fine with the connections. But they must be imported using the Gnome applet first.
Note: this is wireless

Comment 34 Andrew Crouthamel 2018-09-04 16:22:29 UTC

Hello! Sorry to be the bearer of bad news, but this project has been unmaintained for many years and I will be closing this bug. Please test again with the latest version and file a new bug in plasma-nm. Thank you!